Hey,

Sorry Gord, if it isn't Windows(r) Genuine Advantage, then I can't comment on quality or feature set :-)

If you are running WINE or something that emulates the event log service, then you could use EvtOpenLog <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wes/wes/evtopenlog.asp?frame=true> to open the evt file and then use ReadEventLog, etc. or even WMI to extract the event data - very straightforward, lots of sample <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/eventlog/base/reading_the_event_log.asp> code lying around on the internet.

The log itself is not much more than a series of EVENTLOGRECORD <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/eventlog/base/eventlogrecord_str.asp> structures; I'll bet you can find it documented on the internet somewhere.

Or you can use a 3rd party tool like Rainer's that can read the eventlog file format.

Best regards,
Eric

________________________________

From: Gord Taylor [mailto:taylorgo@private]
Sent: Tuesday, August 15, 2006 11:40 AM
To: Eric Fitzgerald
Cc: loganalysis
Subject: Re: [logs] CIFS Auditing log from NetApp

Thanks Eric,

I wasn't aware of that registry value, so that may prove handy for other things. However, NetApp isn't running a real version of Windows. It's running a Linux variant, which "emulates" CIFS, and as far as I know, it doesn't have a "registry" equivalent. I believe that's why it really logs to cifsaudit.alf, then does a periodic bulk-export to the .EVT file format. Not sure how they're emulating language (string) files etc, but I imagine they're just intercepting the inbound API calls, working some foo, then passing the buffer back to the caller.

Unless you know something I don't - and there is a config that works with NetApp??

Right now, I can log files from almost all our platforms, but the CIFSAudit log is a problem since it is neither a flat file, nor a true windows system (so I can't install an agent). I can periodically pull data from the eventlog, but then that causes me problems with either a) duplicate records with many of the free/opensource tools for remotely pulling eventlog files or b) loss of data if the eventlog overwrites. This is why I prefer real-time a la syslog style.

Anyone from NetApp on this distrib? I can go through our reseller, but they're just going to forward the question, so if I can get a response direct from someone who has actually done this, I'd prefer it - and it would benefit the list.

On 8/14/06, Eric Fitzgerald <Eric.Fitzgerald@private> wrote:

Search for "autobackuplogfiles" in the KB (www.microsoft.com/support/kb).

From: loganalysis-bounces+ericf=windows.microsoft.com@private [mailto:loganalysis-bounces+ericf=windows.microsoft.com@private] On Behalf Of Gord Taylor
Sent: Friday, August 11, 2006 6:17 AM
To: loganalysis
Subject: [logs] CIFS Auditing log from NetApp

I'm looking to consolidate the logs on a NetApp server. For most of the logs, this looks pretty simple - standard syslog stuff. But for the filesystem auditing (cifsaudit), NetApp does a periodic write to the adtlog.evt file from (I believe) the cifsaudit.alf file.

Anyone know if there is a way to PUSH the cifsaudit stuff from the NetApp box rather than doing periodic exports of the EVT file???

Thanks in advance.

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
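
Added example, not part of the original thread or any poster's code: a Python reader that walks the EVENTLOGRECORD structures in an exported .evt file and uses RecordNumber as a checkpoint, so that periodic pulls forward each record once and report when an overwrite has dropped records. The field layout follows the documented EVENTLOGRECORD structure; the sample records, the host name `FILER1`, the file paths, and the assumption that record numbers rise by one and are never reset are constructed for illustration.

```python
import struct

FIXED = struct.Struct("<6L4H6L")  # 56-byte fixed part of EVENTLOGRECORD
SIG = b"LfLe"                     # Reserved field 0x654c664c as stored on disk

def wstrings(buf, count):
    """Decode `count` NUL-terminated UTF-16LE strings (missing ones come back empty)."""
    return (buf.decode("utf-16-le", "replace").split("\0") + [""] * count)[:count]

def records(image):
    """Yield every well-formed record found by scanning for the signature."""
    pos = image.find(SIG)
    while pos != -1:
        start = pos - 4                        # Length precedes the signature
        length = struct.unpack_from("<L", image, start)[0] if start >= 0 else 0
        rec = image[start:start + length]
        # Length is repeated as the record's last DWORD; use it to reject false
        # hits, truncated records and the 48-byte file header.
        if length >= FIXED.size + 4 and len(rec) == length and rec[-4:] == rec[:4]:
            f = FIXED.unpack_from(rec)
            source, computer = wstrings(rec[FIXED.size:], 2)
            yield {"record": f[2], "time": f[3], "event_id": f[5] & 0xFFFF,
                   "source": source, "computer": computer,
                   "strings": wstrings(rec[f[11]:], f[7])}  # StringOffset, NumStrings
        pos = image.find(SIG, pos + 4)

def new_since(image, checkpoint):
    """Return (unseen records, new checkpoint, records lost to overwrite)."""
    # Assumption: RecordNumber increases by one per event and is never reset.
    recs = sorted(records(image), key=lambda r: r["record"])
    fresh = [r for r in recs if r["record"] > checkpoint]
    lost = max(0, recs[0]["record"] - checkpoint - 1) if recs else 0
    return fresh, (fresh[-1]["record"] if fresh else checkpoint), lost

def sample(first, last):
    """Constructed export holding records first..last (not real NetApp output)."""
    enc = lambda s: s.encode("utf-16-le") + b"\0\0"
    out = b""
    for n in range(first, last + 1):
        names = enc("Security") + enc("FILER1")
        body = names + enc(f"user{n}") + enc(f"/vol/share/file{n}.doc")
        body += b"\0" * (-len(body) % 4)       # pad to a DWORD boundary
        size = FIXED.size + len(body) + 4
        out += FIXED.pack(size, 0x654C664C, n, 1155300000 + n, 1155300000 + n, 560,
                          8, 2, 0, 0, 0, FIXED.size + len(names), 0, 0, 0, 0)
        out += body + struct.pack("<L", size)
    return out
```

Persist the returned checkpoint between pulls and pass it back in on the next one; a non-zero third value means the export's oldest record is newer than the first record expected, so the pull interval is too long for the log size.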
This archive was generated by hypermail 2.1.3 : Mon Aug 21 2006 - 14:07:43 PDT